Box Enterprise Shared Links Leak Sensitive Information

All companies using Box enterprise cloud storage get their own sub-domain, and the service also allows for the easy sharing of documents stored on Box, via unique URLs. However, it is rather trivial to brute-force the sub-domain, shared URL, and folder names, the researchers discovered.

The issue isn’t new and has been reported on in the past, but remains a problem, at least if access isn’t configured properly. Access to Box Shared Links can be set to anyone with the link, users within a Box enterprise or with accounts on the sub-domain, or only to the users who have been invited to a folder/file.

Without properly configured access, tons of sensitive information could be exposed to the Internet, and this is exactly what Adversis has discovered.

“After identifying thousands of Box customer sub-domains through standard intelligence gathering techniques and using a relatively large wordlist, we discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of customers,” the researchers say.

While most of the data was public, some of it included sensitive information such as passport photos, social security and bank account numbers, high profile technology prototype and design files, employee lists, financial data, invoices, internal issue trackers, customer lists and archives of years of internal meetings, and IT data, VPN configurations, and network diagrams.

The researchers say that the sheer number of impacted companies made it impossible to notify all of them. However, with some organizations having thousands of sensitive documents accessible to anyone, Adversis notified only those with highly sensitive data exposed.

Box too was made aware of the issue, and the company updated its guidelines to underline the fact that Custom Shared Links could expose sensitive information, given that anyone able to guess the URL could access the content.

To reduce the accidental creation of public links, Box recommends restricting Shared Link access to users within the company, keeping constant track of public custom shared links, and avoiding to create public custom shared links to content not intended for public consumption.

The security researchers also published on GitHub code that makes it easy to find the Box accounts of organizations and start scanning for exposed content.